PrivateBin / docker-nginx-fpm-alpine

PrivateBin docker image based on Nginx, php-fpm & Alpine Linux stack
https://hub.docker.com/r/privatebin/nginx-fpm-alpine/

Feature Request: Use AWS IAM Role to access S3 buckets #154

Closed guohaolee closed 1 year ago

guohaolee commented 1 year ago

Hi Team,

Is there a way to access s3 bucket using ec2 instance profile?

Currently we deployed an EC2 instance to host the docker image of privatebin/s3.

However, it's unable to use the ec2 instance metadata to extract instance profile credentials to access the S3 bucket.

This feature is quite useful as we'll not need to manage the AWS keys which is a security risk.

elrido commented 1 year ago

There probably is - surely you can extract that using your config management of choice and inject it into the container's conf.php. Unfortunately I don't think any of the maintainers has any AWS or related knowledge on the subject, so I'd recommend looking for further details or answers in the AWS customer forums or helpdesk. There may be mechanisms for the AWS PHP SDK to pick this up from environment variables, if the right ones get passed through to the container, but I'm no expert on that subject either.

elrido commented 1 year ago

We have just released PrivateBin 1.5.2 which includes a feature that should let the AWS SDK use the default credentials provider chain, which will look for credentials in a few places automatically, including environment variables or instance roles, if the credentials are not set in the configuration file. For details on these credential options, see the SDK's documentation on the default credentials provider chain. Please let us know if this covers your use case.
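The comment above describes letting the AWS SDK for PHP fall back to its default credentials provider chain when no keys are set in the configuration. The following is an added example, not PrivateBin's own code, showing the hard-coded-key pattern beside the chain-based pattern, plus a small diagnostic that reports which kind of credential the chain resolved. It assumes the `aws/aws-sdk-php` package is installed via Composer; the region and bucket names are constructed sample values, and the function names are hypothetical.

```php
<?php
// Added example (not PrivateBin's code): static S3 keys versus the SDK's
// default credentials provider chain. Assumes aws/aws-sdk-php via Composer.
require 'vendor/autoload.php';

use Aws\Credentials\CredentialProvider;
use Aws\S3\S3Client;

const REGION = 'eu-central-1';            // constructed sample value
const BUCKET = 'example-privatebin-data';  // constructed sample value

// Weak pattern: long-lived keys baked into a config file or image layer.
// Anyone who can read the file (backups, image history, repo history)
// obtains credentials that never expire until someone rotates them by hand.
function clientWithStaticKeys(string $key, string $secret): S3Client
{
    return new S3Client([
        'version'     => 'latest',
        'region'      => REGION,
        'credentials' => ['key' => $key, 'secret' => $secret],
    ]);
}

// Preferred pattern: omit 'credentials' entirely. The SDK then walks the
// default chain (environment variables, shared credentials/config files,
// the container credentials endpoint, EC2 instance metadata) and receives
// short-lived credentials that the instance profile rotates automatically.
function clientWithDefaultChain(): S3Client
{
    return new S3Client([
        'version' => 'latest',
        'region'  => REGION,
    ]);
}

// Diagnostic: resolve the chain once and describe the result without
// printing the secret. A session token and an expiry time indicate
// temporary, role-derived credentials; their absence means a static key.
function describeResolvedCredentials(): string
{
    $provider = CredentialProvider::defaultProvider();
    try {
        $creds = $provider()->wait();
    } catch (\Exception $e) {
        return 'no credentials resolved: ' . $e->getMessage();
    }
    $hasToken = $creds->getSecurityToken() !== null;
    $exp      = $creds->getExpiration();
    return sprintf(
        'key id %s..., session token: %s, expires: %s',
        substr($creds->getAccessKeyId(), 0, 4),
        $hasToken ? 'yes (temporary, role-based)' : 'no (long-lived key)',
        $exp === null ? 'never' : date('c', $exp)
    );
}

echo describeResolvedCredentials(), PHP_EOL;

// Sanity check on what the PHP worker itself sees: if these read as unset
// inside the container, the chain cannot use them regardless of what
// docker was given on the command line.
foreach (['AWS_REGION', 'AWS_CONTAINER_CREDENTIALS_RELATIVE_URI', 'AWS_ROLE_ARN'] as $name) {
    printf("%s is %s\n", $name, getenv($name) === false ? 'unset' : 'set');
}

// Example listing through the chain-backed client; the bucket name is constructed.
$result = clientWithDefaultChain()->listObjectsV2(['Bucket' => BUCKET, 'MaxKeys' => 1]);
printf("listObjectsV2 on %s returned HTTP %d\n", BUCKET, $result['@metadata']['statusCode']);
```

Run it inside the container with `php` as the same user php-fpm uses, since the relevant check is what the worker environment contains. Note that php-fpm pool configuration defaults to `clear_env = yes`, which strips the process environment from workers; variables must either be whitelisted per pool with `env[AWS_REGION] = $AWS_REGION` style entries or the pool must set `clear_env = no` for the chain to see them.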

fenak commented 1 year ago

Hey @elrido, I had the same issue trying the new image today; as we chatted at the time, there are some missing env vars that need to be made available to php-fpm. I'm opening a PR with a possible fix so you can review it.

fenak commented 1 year ago

Hi @guohaolee, if you see #158, @elrido mentioned there's a new Docker image available with tag 1.5.2-alpine3.18.2-aws-env with a fix to allow IAM roles to be used with the Docker image. You should be able to deploy it using IAM roles now.

guohaolee commented 1 year ago

Thanks @fenak ! I have tested it and it's working now!

Are we going to standardise the tag in future with the current S3 tags?

fenak commented 1 year ago

@guohaolee I'm not involved with the project, I just contributed the feature, but from what I can see here on https://hub.docker.com/r/privatebin/nginx-fpm-alpine/tags the 1.5.2 tag got updated; it has the same hashes as 1.5.2-alpine3.18.2-aws-env. So, if you haven't pulled the images yet, or if you can force the images to be pulled again in case the old ones are cached on your instance, you should be able to use 1.5.2. As this is fixed now, any future release should be fine and wouldn't need a specific tag to work with the AWS stuff.

elrido commented 1 year ago

@guohaolee Just confirming that fenak is correct. The tagging scheme used is documented at https://github.com/PrivateBin/docker-nginx-fpm-alpine#image-tags

In a nutshell, 1.5.2-... is the immutable tag for that specific change and whenever one is produced (usually when the alpine base image gets updated) 1.5.2 (and "stable") gets re-tagged to that latest image.

Some users prefer to use the immutable tags to ensure they can track what got deployed, others prefer to use "stable" and have a mechanism that refreshes these when new ones get pushed. We hope this accommodates either use case.

guohaolee commented 1 year ago

@fenak @elrido Thanks for the update.

It works fine with the 1.5.2 tags!

Once again thank you so much for implementing this! This definitely helps security-wise, as we don't need to manage any keys at all!